Some Advice on Privileges
E. Eugene Schultz
Excerpted from Windows NT/2000 Network Security, by E. Eugene Schultz, published by New Riders.
Windows NT's privilege-structuring scheme offers a reasonable opportunity to control the dangers of uncontrolled privilege allocation. The existence of multiple levels of privilege in both Windows NT Server and Workstation allows a reasonable degree of granularity in privilege assignment. Ideally, multiple Windows NT domains might have only two persons, a primary and a backup administrator, with full administrator-level privileges. Others with lower levels of privilege might perform other tasks, such as creating and deleting unprivileged accounts and managing servers. The most important point, however, is that adhering to the principle of least privilege is essential to protecting against unauthorized or misused privileged access. Assign users the minimum level of privileges needed to get their jobs done.
If a user needs only to read electronic mail, edit files, and access certain databases, do not assign anything more than user-level privileges to that user. And do not be misled by the apparent safety of assigning only guest-level privileges to users who do not need much access to a Windows NT Workstation or domain. For all practical purposes, the baseline of privileges is user-level privileges.
Privilege assignment on the basis of individual accounts becomes unmanageable for all practical purposes once the number of users grows beyond a few dozen. Therefore, assignment to groups is the only realistic way to assign and control privileges in anything but very small Windows NT deployments. Group-based privilege assignment has many drawbacks, however, one of the most important of which is the increased likelihood of group-inclusion errors. You might, for example, accidentally put a user in a privileged group even though you meant to place this person in another, unprivileged group. Another possibility for error arises when users resign or are moved to other organizations. In Windows NT, therefore, it is extremely important to check the composition of groups frequently, particularly privileged groups, looking for unauthorized changes and suspicious inclusions.
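As an added example (not from the book), here is a small Python script that performs the group-composition check just described: it parses the member list printed by `net localgroup` (available since Windows NT 4.0) and compares it against an approved baseline, flagging suspicious inclusions as well as approved members that have disappeared. The sample output, the CORP domain and the baseline are constructed for illustration.

```python
# Constructed sample of `net localgroup Administrators` output (not captured
# from a real system). Member names follow the dashed separator line.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jsmith
The command completed successfully.
"""

# Hypothetical approved baseline, kept under change control.
APPROVED = {"Administrator", "CORP\\Domain Admins"}


def parse_members(output):
    """Return the member names listed after the dashed separator."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("---"):
            in_list = True                      # names start on the next line
        elif line.startswith("The command completed"):
            break                               # trailer, not a member
        elif in_list and line:
            members.append(line)
    return members


def audit_group(output, approved):
    """Return (unexpected, missing): members absent from the baseline, and
    baseline members no longer present. Windows names compare case-insensitively."""
    actual = {n.lower(): n for n in parse_members(output)}
    wanted = {n.lower(): n for n in approved}
    unexpected = sorted(actual[k] for k in actual.keys() - wanted.keys())
    missing = sorted(wanted[k] for k in wanted.keys() - actual.keys())
    return unexpected, missing


if __name__ == "__main__":
    # On a real host, feed in subprocess.run(["net", "localgroup",
    # "Administrators"], capture_output=True, text=True).stdout instead.
    unexpected, missing = audit_group(SAMPLE_OUTPUT, APPROVED)
    print("Unexpected members:", unexpected or "none")
    print("Missing approved members:", missing or "none")
```

Run it on a schedule against each privileged group (Administrators, Domain Admins, Server Operators, Account Operators) and treat any non-empty `unexpected` list as an incident to investigate.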
Privilege Structuring in Windows 2000: Major Changes
In Windows 2000, administrator per se is no longer a necessary privilege level for administering systems. You can assign rights to users in an extremely granular fashion. One group of users who administer systems may be assigned most or even all of these rights; another group, also created to administer systems, may be assigned only a relatively small subset of them. The new rights-assignment scheme will enable rights to be assigned directly on the basis of business and/or operational needs rather than on the basis of the rights of preexisting groups such as the administrator, server operator, and account operator groups in Windows NT 4.0. Alternatively, you can use the basic Windows NT 4.0 rights-assignment scheme based on the same default privileged groups that Windows NT 4.0 has.